Support service_agents_config.skip_iam in project-factory and fast stages (#4007)

* Support service_agents_config.skip_iam in project-factory and fast stages * Fix inventories * Change service-agent creation/iam order
2026-06-01 12:04:54 +02:00
parent e3e261442f
commit 008a3719ad
22 changed files with 303 additions and 37 deletions
--- a/tests/modules/project_factory/examples/example.yaml
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -14,6 +14,7 @@

 values:
  module.project-factory.google_network_security_dns_threat_detector.dns_threat_detector["dev-ta-app0-be"]:
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    excluded_networks: []
@@ -30,6 +31,7 @@ values:
    cors: []
    custom_placement_config: []
    default_event_based_hold: null
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    enable_object_retention: null
@@ -74,6 +76,7 @@ values:
  ? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/ro"].google_service_account.service_account[0]
  : account_id: dev-tb-app0-0-ro
    create_ignore_already_exists: null
+    deletion_policy: DELETE
    description: Team B app 0 read-only automation sa.
    disabled: false
    display_name: Service account ro for dev-tb-app0-0.
@@ -84,6 +87,7 @@ values:
  ? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/rw"].google_service_account.service_account[0]
  : account_id: dev-tb-app0-0-rw
    create_ignore_already_exists: null
+    deletion_policy: DELETE
    description: Team B app 0 read/write automation sa.
    disabled: false
    display_name: Service account rw for dev-tb-app0-0.
@@ -97,6 +101,7 @@ values:
    default_partition_expiration_ms: null
    default_table_expiration_ms: null
    delete_contents_on_destroy: false
+    deletion_policy: DELETE
    description: Terraform managed.
    effective_labels:
      goog-terraform-provisioned: 'true'
@@ -147,6 +152,7 @@ values:
      threshold_percent: 0.75
    timeouts: null
  module.project-factory.module.billing-budgets[0].google_monitoring_notification_channel.default["billing-default"]:
+    deletion_policy: DELETE
    description: null
    display_name: Budget email notification billing-default.
    enabled: true
@@ -163,6 +169,7 @@ values:
    cors: []
    custom_placement_config: []
    default_event_based_hold: null
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    enable_object_retention: null
@@ -186,6 +193,7 @@ values:
    versioning:
    - enabled: false
  module.project-factory.module.buckets["dev-ta-app0-be/app-0-bucket-a"].google_tags_location_tag_binding.binding["context"]:
+    deletion_policy: DELETE
    location: europe-west8
    parent: //storage.googleapis.com/projects/_/buckets/test-pf-dev-ta-app0-be-app-0-bucket-a
    tag_value: tagValues/654321
@@ -195,6 +203,7 @@ values:
    cors: []
    custom_placement_config: []
    default_event_based_hold: null
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    enable_object_retention: null
@@ -232,18 +241,21 @@ values:
    - group:team-a-admins@example.org
    role: roles/viewer
  module.project-factory.module.folder-1["team-a"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: Team A
    parent: folders/5678901234
    tags: null
    timeouts: null
  module.project-factory.module.folder-1["team-b"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: Team B
    parent: folders/5678901234
    tags: null
    timeouts: null
  module.project-factory.module.folder-1["team-c"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: Team C
    parent: folders/5678901234
@@ -266,6 +278,7 @@ values:
    tag_value: tagValues/123456
    timeouts: null
  module.project-factory.module.folder-2["team-a/app-0"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: App 0
    tags: null
@@ -299,16 +312,19 @@ values:
      - {}
    timeouts: null
  module.project-factory.module.folder-2["team-b/app-0"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: App 0
    tags: null
    timeouts: null
  module.project-factory.module.folder-2["team-c/apps"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: Apps
    tags: null
    timeouts: null
  module.project-factory.module.folder-3["team-c/apps/test"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: Test
    tags: null
@@ -326,11 +342,13 @@ values:
      - topic: projects/my-cai-feeds-project/topics/feed
    timeouts: null
  module.project-factory.module.folder-4["team-c/apps/test/app-x"].google_folder.folder[0]:
+    deletion_policy: DELETE
    deletion_protection: false
    display_name: App X
    tags: null
    timeouts: null
  module.project-factory.module.kms["dev-ta-app0-be/my-keyring"].google_kms_crypto_key.default["my-key"]:
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    labels: null
@@ -347,6 +365,7 @@ values:
    project: test-pf-dev-ta-app0-be
    timeouts: null
  module.project-factory.module.kms["dev-ta-app0-be/my-keyring"].google_tags_location_tag_binding.binding["context"]:
+    deletion_policy: DELETE
    location: europe-west1
    tag_value: $tag_values:context/project-factory
    timeouts: null
@@ -428,6 +447,7 @@ values:
    - user:user@example.com
    role: roles/resourcemanager.tagUser
  module.project-factory.module.projects-iam["dev-tb-app0-0"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+    deletion_policy: DELETE
    project: test-pf-dev-tb-app0-0
    timeouts: null
  ? module.project-factory.module.projects-iam["dev-tb-app0-0"].google_project_iam_audit_config.default["storage.googleapis.com"]
@@ -542,30 +562,35 @@ values:
    project: test-pf-dev-ta-app0-be
    role: roles/pubsub.serviceAgent
  module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["compute.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-ta-app0-be
    service: compute.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["container.googleapis.com"]
-  : disable_dependent_services: false
+  : deletion_policy: DELETE
+    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-ta-app0-be
    service: container.googleapis.com
    timeouts: null
  module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["pubsub.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-ta-app0-be
    service: pubsub.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  : deletion_policy: DELETE
+    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-ta-app0-be
    service: stackdriver.googleapis.com
    timeouts: null
  module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["storage.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-ta-app0-be
@@ -627,18 +652,21 @@ values:
    project: test-pf-dev-tb-app0-0
    role: roles/run.serviceAgent
  module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["run.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-tb-app0-0
    service: run.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  : deletion_policy: DELETE
+    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-tb-app0-0
    service: stackdriver.googleapis.com
    timeouts: null
  module.project-factory.module.projects["dev-tb-app0-0"].google_project_service.project_services["storage.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-tb-app0-0
@@ -690,18 +718,21 @@ values:
    project: test-pf-dev-tb-app0-1
    role: roles/container.defaultNodeServiceAgent
  ? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["container.googleapis.com"]
-  : disable_dependent_services: false
+  : deletion_policy: DELETE
+    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-tb-app0-1
    service: container.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  : deletion_policy: DELETE
+    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-tb-app0-1
    service: stackdriver.googleapis.com
    timeouts: null
  module.project-factory.module.projects["dev-tb-app0-1"].google_project_service.project_services["storage.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-dev-tb-app0-1
@@ -723,6 +754,7 @@ values:
    timeouts: null
  module.project-factory.module.projects["teams-iac-0"].google_iam_workload_identity_pool.default["test-0"]:
    attestation_rules: []
+    deletion_policy: DELETE
    description: null
    disabled: null
    display_name: Test pool.
@@ -746,6 +778,7 @@ values:
      attribute.workflow: assertion.workflow
      google.subject: assertion.sub
    aws: []
+    deletion_policy: DELETE
    description: null
    disabled: false
    display_name: GitHub test provider.
@@ -786,18 +819,21 @@ values:
    project: test-pf-teams-iac-0
    role: roles/container.defaultNodeServiceAgent
  module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["container.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-teams-iac-0
    service: container.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  : deletion_policy: DELETE
+    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-teams-iac-0
    service: stackdriver.googleapis.com
    timeouts: null
  module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["storage.googleapis.com"]:
+    deletion_policy: DELETE
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-pf-teams-iac-0
@@ -808,6 +844,7 @@ values:
    service: container.googleapis.com
    timeouts: null
  module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-a"].google_pubsub_topic.default:
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    ingestion_data_source_settings: []
@@ -832,6 +869,7 @@ values:
  : bigquery_config: []
    cloud_storage_config: []
    dead_letter_policy: []
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    enable_exactly_once_delivery: false
@@ -850,6 +888,7 @@ values:
      goog-terraform-provisioned: 'true'
    timeouts: null
  module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-b"].google_pubsub_topic.default:
+    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
    ingestion_data_source_settings: []
@@ -895,6 +934,7 @@ values:
  module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_service_account.service_account[0]:
    account_id: app-0-be
    create_ignore_already_exists: null
+    deletion_policy: DELETE
    description: null
    disabled: false
    display_name: Backend instances.
@@ -920,6 +960,7 @@ values:
  module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-fe"].google_service_account.service_account[0]:
    account_id: app-0-fe
    create_ignore_already_exists: null
+    deletion_policy: DELETE
    description: null
    disabled: false
    display_name: Frontend instances.
@@ -938,6 +979,7 @@ values:
  module.project-factory.module.service-accounts["dev-tb-app0-0/vm-default"].google_service_account.service_account[0]:
    account_id: vm-default
    create_ignore_already_exists: null
+    deletion_policy: DELETE
    description: null
    disabled: false
    display_name: VM default service account.
@@ -956,6 +998,7 @@ values:
  module.project-factory.module.service-accounts["dev-tb-app0-1/app-0-be"].google_service_account.service_account[0]:
    account_id: app-0-be
    create_ignore_already_exists: null
+    deletion_policy: DELETE
    description: null
    disabled: false
    display_name: Backend instances.
@@ -966,6 +1009,7 @@ values:
  module.project-factory.module.taxonomies["dev-tb-app0-0"].google_data_catalog_taxonomy.default:
    activated_policy_types:
    - FINE_GRAINED_ACCESS_CONTROL
+    deletion_policy: DELETE
    description: Taxonomy - Terraform managed
    display_name: taxonomy
    project: test-pf-dev-tb-app0-0